About this course

ET4397IN provides a general overview of network security, attacks and countermeasures. In Advanced Network Security, we will go a lot deeper and take a more technical approach to communication security.

The learning goal of ET4397IN is that you can perform a risk analysis, understand the principle of specific attacks and which countermeasures would neutralize them, in CS4155 we will understand these attacks in detail and learn how to design and actually implement countermeasures as practice.
For example, while in the 5 EC course we explain general vulnerabilities of the WiFi protocols, in advanced network security we dive into the cryptographic and algorithmic background behind these attacks, and build an intrusion detection module that will detect an attack and actively defend the local network against it. We also do review code of specific vulnerabilities in detail, and see how advertiseries map these into PoC exploits and learn how we can detect their presence through network monitoring.

In CS4155, we will have
  • 6 lecture hours per week (instead of 4) which go substantially deeper than ET4397IN,
  • additional 3h of weekly security labs, covering one specific vulnerability end-to-end and investigate defenses against it,
  • a engineering assignment, which teaches you over the term the fundamental concepts and algorithms behind an IDS/IPS system.
CS4155 requires you to have a solid background in at least one high-level programming language, such as C, Java, or Python. As preparation for our discussion of vulnerabilities, you should also have passed "Security and Cryptography".

Course Components

Term Project
Security Labs

Course Content

The following shows the topics discussed in CS4155, the additions to ET4379IN are indicated in blue:

Physical Layer Security

How are telecom networks made? Protection strategies for cables, wireless links and physical installations. Network resilience planning strategies of network operators to withstand disasters and solve infrastructure dependencies. Benefits and limits of physical layer security: or how the bad guys can still tap into communication; Secure (network) device lifecycle management

Link Layer Security

How the Ethernet link layer works and why it is so insecure! Switch design and switch protocols. Port security, VLANs. The 802.11 protocol suite, WEP and WPS. WPA2, WPS, 802.1X port-based network access control, 802.1AE MAC security. The security of GSM and telecom networks.

Network Layer

Best network design practices. How to do network reconnaissance. Address spoofing and associated network attacks. Hijacking the DNS system and effective detection and protection techniques. Secure and Covert Tunnels. IPSec. The policy origin of the Internet and how it influences the deployment of controls. BGP, RPKI and BGPSec.

Transport Layer

Reconnaissance and attacks using the TCP protocol. Secure Sockets Layer and Chains of Trust. Certificate transparency and selected SSL/TLS attacks.

Application and Web Security

Using software vulnerabilities to gain system access. Finding adversaries with Intrusion Detection Systems and Honeypots. Theory and Practice of Firewalls. Security of E-Mail and VoIP, telephony, and messager security protocols.


Meta-data leakages of network protocols. Mix networks and onion routing

Risk Incident Management

Developing a risk management plan. Cyber threat intelligence management and integration. Network incident response and fundamentals of bsiness continuity management.


  • Wireless link security and signal interception
  • Spanning Tree Protocol and switch security
  • VLAN hopping
  • Firewall audit
  • Botnet Defense and C&C Channel Mitigation

Term Project:
Building an IDS/IPS

In the project, we will cover in each week one of the fundamental engineering challenges around a network monitoring and defense solution.

  • Warming up: Building a packet parser

    Learn about the available interfaces to do raw packet monitoring, how to read protocol specifications and turn them into a simple protocol parser

  • Dynamic ARP inspection and network horizons

    In this week, we implement a detection algorithm and countermeasure for ARP spoofing. We experience how an IDS must keep a transaction history to appropriate distinguish between security alarms and benign events and how to deal with OS implementation differences.

  • WiFi Anomaly Detection

    We introduce cryptographic validation of packets. We cover what countermeasures are possible against threats outside the local network, both from a technical and legal side.

  • Fast Packet Matching Algorithms

    Given the response time measurements of an open-source firewall under a DDoS attack as a starting point, we cover high-performance algorithms to implement packet filters.

  • Network Flow Anomaly Detection

    This week we aggregate packets into flows, and apply basic machine learning tools to extract application-specific fingerprints. This allows us to find malbehaving programs, as well as provide an analysts insights into a previous unknown protocol.

  • SYN Flood Mitigation and DDoS Defense

    Implement and measure the effectiveness of DDoS mitigation at the transport and application layer.

  • Intrusion Detection in Encrypted flows

    Much of the application traffic is encrypted by TLS today, which makes its inspection for malicious signatures impossible. In this week, you will learn how enterprise solutions perform TLS termination, and how to design and implement controls so that the solution protects the privacy of its users.

Two audiences, two options

As knowledge of network security has become essential for many disciplines and the course network security is listed in multiple study programs, there are now two variants that cater for the different backgrounds and needs. ET4397IN Network Security covers the concepts of network security, current vulnerabilities and appropriate countermeasures. Students are not required to program, both homeworks and final exam are textual questions on the key ideas. In CS4155 Advanced Network Security, students get in addition to the theory also the opportunity for studying vulnerabilities and countermeasures in networking systems and communication protocols in detail, including in-depth study of protocol security analysis as well as a handson implementation of defense mechanisms on actual systems.

Network Security

  • 5
  • 4 hours per week
  • Understanding of network security key concepts and principles
  • Interactive lectures
  • Basic understanding of networks,
    no programming background required
  • see demos in lecture
  • 60% exam*, 40% homeworks with conceptual questions
    (* Exam may be replaced with a software/hardware project)
  • 10 - 15 h

CS4155 Advanced Network Security

  • 10
  • 6 hours/week, plus 3h lab
  • Understanding, and the ability to perform network detection and implement defenses
  • Interactive lectures, programming tasks / labs
  • Understanding of networks and strong programming background
  • see demos and experiment in labs
  • 40% exam, 60% from homeworks about in-depth protocol analysis/data minining, programming exercises and labs
  • 25 - 30 h